General

  • Target

    8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

  • Size

    56KB

  • Sample

    200630-a2p11hd5yj

  • MD5

    ecb00e9a61f99a7d4c90723294986bbc

  • SHA1

    be59c867da75e2a66b8c2519e950254f817cd4ad

  • SHA256

    8897db876553f942b2eb4005f8475a232bafb82a50ca7761a621842e894a3d80

  • SHA512

    9dee79827d865de41a63962b419eed7e1f9610ff27f00f8b7b2b9f51e905d5db907d310da590d8f1a11ac88e549373edf39bffdb44d1b205728f1b5e0a43aa5e

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DisconnectWait.lock.txt

Family

wastedlocker

Ransom Note

ENERGYSOLUTIONS
YOUR NETWORK IS ENCRYPTED NOW
USE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]OgLI0or/oNGGRSOB+9aWpC/1e5r9W6INar2TorUlA6ucqZD4EXqMUekxiI/JHRan hHz7Jk2Gc1AIyQtqyL/a3SWYghzWQx8GeRZAmEI0CV7k2wTnRM+y5RiDEPNdze6k uT+zfVp885mJijIbV/Vq6p52FFR6rt4gKmRqbHcUC1T5xs/zSCyMOHBKc8sIuJd4 Rm7jPEfy34XkoDDle9ejzroI2AZ5auuztvvHDHIUD8uMheDU441S79Q+E+5Xs6S5 ZFQHEw0Ha2EuqMGHHGhYoal43/CYqyn9ytfl3Ru9HMMMarM2pUwBVjktMy3H0KOU f1i3VSgAJAEUGmlUq9pafiv4yofLsMiJzYo31WUrv56ozk0uAGamPC8Gc2IRbsa1 UA/p3ZiyIVTpxHepsMnuGgOVa0NZ+oVMH4ZGFj+kziqWYjiOVnY11YPNOxq2BjN6 z+AuKXF98dSvlGGckmSbt5DmaWt8QtCdRzCiTlWxgnqf+V7uI5W4X/HWFa5tbTj4 DNYKmfSMbq46QsiKkRWfsSFDEYUNCa8qWzRE0D+OP7pjgFK9G0CzqWr+cXuDlGIv Eia7/VFeNRV4JV1yrdPjLKuy9kGahOJNbGbL4bGa1wXnhtUobvcqp+HTl4/I0Sz9 SGEoh8cCtwECFHH63XLDb3vJU5+W1zwUlXuTTfAmVlw=[end_key]
KEEP IT
Emails

48907@PROTONMAIL.COM

78470@TUTANOTA.COM

Extracted

Path

C:\Users\Admin\Desktop\MoveDeny.mpeg3.eswasted_info.txt

Family

wastedlocker

Ransom Note

ENERGYSOLUTIONS
YOUR NETWORK IS ENCRYPTED NOW
USE 48907@PROTONMAIL.COM | 78470@TUTANOTA.COM TO GET THE PRICE FOR YOUR DATA
DO NOT GIVE THIS EMAIL TO 3RD PARTIES
DO NOT RENAME OR MOVE THE FILE
THE FILE IS ENCRYPTED WITH THE FOLLOWING KEY:
[begin_key]i34DEHUNZz4v4dXnXaZzEMw8LWWGz5Hx8p8OgNO/t+4E59XzfEYiE9T3WkJnk3tM v29T2bl/tukZPXI9NWFM1T6/5LxMLH2LAnJoEbba/CwLy4lPWfb4B/ilz8dEWVJD hjk5SbSrtzqzFDqFKzEmu5p4CYdt5qMMaTz1M9fHxWTWFKeD4nS1poA9V7DtkUH3 B/1U7pupwNKe9xFoQcHzehtk/4cFioBdFH9lRwvm9IlRzPbJ6HiWkkWPB9fJpi+r H0aBoejQEYDzk7YDeNs+Cm8aqTaZ/xdi5pkPKGsvOefqjKHwKlNbugKVS0kDz+Y4 48gBQkQWt+YeP/MxvY1/En9x/lj2M5aGK9pZ/YT0A3KR9FQpADyeqnLbnpdlYQ00 mZnBG9rkyY/+hogd4HJNVNu/sL9kuqSOzQgtG39akpZk4RGPF/gGGat8ExUbBNrQ AtDMysnLaAIGkM9eo1yXuEWXUgUnR3ITfQehV1A7jkQ0mQ1Wy25fbebt9ejJGNUj j3Rk79xhp7Zcc8xHBLnxBU/jdijMdsazdxDXV/Nw+WbNCQeKT/vThiJKeu+Gf1co HDH13G3dlBDfLVmBty2AT0i19AwGtQRywBm8Wxjzg+/JJSAm3GL/ct0CdoDC7qe6 2Tdv+Tjkdb1KQ9bvuJGpfmb2UGif0ZEdHR5gofzpYt/=[end_key]
KEEP IT
Emails

48907@PROTONMAIL.COM

78470@TUTANOTA.COM

Targets

    • WastedLocker

      Ransomware family seen in the wild since May 2020.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

    • Drops file in System32 directory

    • Modifies service

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Modify Existing Service (T1031): 1

    Hidden Files and Directories (T1158): 1

  • Defense Evasion

    File Deletion (T1107): 2

    File Permissions Modification (T1222): 1

    Modify Registry (T1112): 1

    Hidden Files and Directories (T1158): 1

  • Impact

    Inhibit System Recovery (T1490): 2

Tasks